Our desktop team is rolling out a new patch management service (Shavlik) which only sends a limited amount of logs to the central system. I wanted to see whether or not it would be manageable to remotely configure lightweight forwarders on all the clients to send the logs through Splunk. The only thing is many of these laptops do not connect to our network on a daily basis, either from being hard-wired or VPN. My concern is that if these devices are being used off network will the lightweight forwarder throw back errors because it cannot reach the heavy forwarder/indexes? Also, would this create excess logs in ESS via "Expected Host Not Reporting" incidents?
No this will not be a problem. The forwarder gracefully stops and waits for the indexer to become available again. It will log that it can't get to the indexer but that isn't a problem.
In ES you can state which devices are expected and which are intermittent so as long as you set this correctly it will not complain. But one thing to be aware of is ES normally only looks at the last 24 hours for security issues. If Splunk doesn't get the logs for longer, it may not be detected. You can probably adjust the correlation searches to allow for this.
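As an added illustration (not part of the original question or answer), the following Splunk configuration fragments show the two sides of what the answer describes: the forwarder-side output settings that make the forwarder queue and retry while a laptop is off the network, and a saved search that widens the default 24-hour window so intermittent hosts are only flagged after a longer silence. The indexer host names, queue sizes, the monitored log path placeholder, the `laptop-*` host naming pattern and the 7-day threshold are all assumed example values.

```ini
# outputs.conf on each universal forwarder (added example; values are assumptions)
[tcpout]
defaultGroup = primary_indexers
# While no indexer is reachable the forwarder blocks and retries rather than
# dropping events; a larger in-memory queue simply lets more data build up
# before the input side pauses.
maxQueueSize = 50MB
# Indexer acknowledgement: events are only released from the queue once the
# receiving side confirms it wrote them, so a dropped VPN session mid-transfer
# does not lose data.
useACK = true

[tcpout:primary_indexers]
# Heavy forwarders / indexers the laptop will reach once back on the network (assumed names)
server = hf01.example.internal:9997, hf02.example.internal:9997
connectionTimeout = 20

# inputs.conf on the same forwarder (added example)
# Monitored files are tracked by offset in the fishbucket: when the output is
# blocked the tailing processor stops reading and resumes from the same offset
# once a connection exists, so nothing needs to be re-sent manually.
[monitor://C:\PATH\TO\SHAVLIK\LOGS]
disabled = false
sourcetype = shavlik
index = main

# savedsearches.conf (added example): a scheduled search that reports hosts
# matching an intermittent-laptop naming pattern which have been silent for
# more than 7 days, instead of the usual 24-hour expectation.
[Intermittent hosts silent more than 7 days]
search = | metadata type=hosts index=main | search host="laptop-*" | eval age_days = round((now() - recentTime) / 86400, 1) | where age_days > 7 | table host age_days
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
cron_schedule = 0 6 * * *
enabled = 1
```

The `metadata` command only reports hosts seen within the search's time range, so `dispatch.earliest_time` has to be wider than the silence threshold you are testing for; a host that has been quiet longer than 30 days would drop out of the result set entirely rather than show a large `age_days`, which is worth keeping in mind when choosing the window.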